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The significant enhancement in demand for bring your own device (BYOD) 
mechanism in several organizations has sought the attention of several 
researchers in recent years. However, the utilization of BYOD comes with a 
high risk of losing crucial information due to lesser organizational control on 
employee-owned devices. The purpose of this article is to review and 
analyze the various security threats in BYOD; further we review the existing 
work that was developed in order to reduce the risks present in BYOD. A 
detailed review is presented to detect BYOD security threats and their 
respective security policies. A phase-by-phase mitigation strategy is 
developed based on the components and crucial elements identified using 
review policy. Managerial-level, social-level and technical level issues are 
identified such as illegal access, leaking delicate company data, lower 
flexibility, corporate data breaching, and employee privacy. It is analyzed 


that collaboration of people, security policy factors and technology in an 
effective manner can mitigate security threats present in the BYOD 
mechanism. This article initiates a move towards filling the security gap 
present the BYOD mechanism. This article can be utilized for providing 
guidelines in various organizations. Ultimately, successful implementation 
of BYOD depends upon the balance created between usability and security. 
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1. INTRODUCTION 

In last decade we have seen revolution in personal device, especially in number of smartphone, 
tablets and laptops; moreover, the number of users has increased enormously; these smartphones and tablets 
work with high-speed internet. The high-tech functionalities of these smartphones and tablets have motivated 
many organizations to utilize these smart devices in their workspace [1], [2], The high utilization of these 
smartphones is mainly due to two reasons. First, end users can have access through a massive number of apps 
and can easily install them according to their requirement using demand-based mobile distribution model 
(MDM), which is a public application store for various platforms [3]-[6]. Second, the development of 
advanced mobile operating systems like Android, iOS and Windows which has given strength to the 
development of extensive varieties of powerful devices. A new mechanism bring your own device (BYOD) 
has emerged in the market especially in workplaces. Using this mechanism, organization staff can easily link 
their smartphones and tablets with organization network to get access to their business information, client 
details and corporate data and conduct daily corporate activities [7]-[9]. Moreover, employees can utilize 
their devices for both corporate activities and personal use. This motivates employees to involve more 
incorporate functionalities and work activities by utilizing their smartphones, tablets. BYOD has tremendous 
benefits and convenience to a variety of business functionalities such as the high amount of work efficiency, 
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flexibility, organization staff satisfaction, and cost reduction, reduction in IT acquisition and many 
productivity advantages [10]-[13]. In recent years, the utilization of BYOD mechanism has become “hot tech 
trend”. Recently, a survey claims that almost 95% of organizational staff utilize at least one personal device 
for finishing their corporate works at the work station or any remote location [14]-[16]. Some reports show 
that almost 70% of the enterprises in many developed countries like USA, Australia, Spain, Germany and 
Malaysia has already adopted BYOD [17]. However, the high utilization of smartphones and tablets in 
corporate institutions in recent years has led to various security issues in the organization. The staff-owned 
and controlled devices access organization intranet and work on several networks. Thus, sensitive corporate 
information and details may be compromised unintentionally while sending emails to the clients via public 
mail services, by utilizing public cloud storage facilities like Samsung cloud, Apple’s iCloud and Dropbox 
for storing corporate documents or by interacting with voice assistants through smartphones [18]. Further, a 
corporate employee may intentionally or wickedly incorporate malware to the corporate network using his or 
her own virus-infected smartphones. Numerous researchers have provided a significant amount of work to 
provide an efficient and secure BYOD mechanism and some of the literature. In [18], a passive security 
mechanism is presented for reducing threats in the BYOD devices. Here, a non-intrusive big-data technique 
is adopted for tracking usage patterns. In [19], a smart risk management framework is introduced for BYOD 
technique to deal with data breaches in a corporate environment. In [20], a BYOD security enhancement 
method is introduced based on techniques such as software-defined networking (SDN), enterprise mobile 
management (EMM) and network function virtualization (NFV). In [21], a machine learning technique is 
introduced in which faulty and suspicious URL’s can be detected using supervised machine learning 
techniques. However, the malicious activities and security threats have widely enhanced in recent time hence 
the efficiency of these above techniques is reduced in practical implementation for a BYOD environment. 

BYOD can enhance a significant amount of productivity of an enterprise. Moreover, this technique 
can reduce the cost of the organization, enhances flexibility as well as increases employee productivity. It 
gives a new interaction medium to the staff for communicating with clients as well as their colleagues 
resulting in productivity enhancement and permits staff to work from any remote location efficiently. This 
technique can become a bridge to fulfil the gap between corporate technologies and client solutions. Hence, 
this review article provides a detailed analysis of security. Further, this research focuses on various security 
issues, which can be experienced while utilizing BYOD policies are discussed and several secured methods 
are discussed to eliminate these issues. In addition, an effort has been made to provide guidelines for various 
organizations about several security policies and their proficient implementation. A discussion on the effects, 
which can be seen in various organizations in terms of security threats and their reduction by implementing 
these guidelines, has been presented. 

This paper is organized: in section 2, security-related issues in BYOD policies are discussed and 
tackling these issues through various approach has been highlighted. In section 3, a detailed analysis of security 
issues, how to mitigate those issues and various security policies is discussed. In section 4, a detailed analysis 
about mentioned security policies in BYOD mechanism is presented and section 5 concludes the paper. 


2. RELATED WORK 

BYOD mechanism has been the demand of hour in recent days due to various situation, one of them 
being pandemic related. This technique can reduce the high costs required for the institutional set up to work 
in a company as well as a hefty investment needed for the distribution of hardware devices to employees 
from companies. However, security is the major concern for BYOD technique as both corporate and personal 
information remain on stake due to daily enhancement in malicious activities, which may concern employees 
as well as company authorities. Moreover, there are several mechanisms that have been proposed as a BYOD 
security solution, some of them were light weighted less complex with easy policy which follows the 
integration into other hardware domain such as given [22]-[31]; although these method does provide a fair 
and secure integration, they ignored some of the basic protocol of security due to major focus on IoT-domain. 
Furthermore, we have reviewed some of the important work that has mainly focused on the BYOD Security 
policy. In [32], a border patrol technique is adopted which works upon fine-grained contextual data to secure 
BYOD network. This method avoids unwanted functionalities like advertisements, analytical functionalities 
and unwanted cookies by blocking their packets. In [33], a virtual micro security technique is introduced for 
BYOD mechanism based on information protection abstraction, which can track malicious data packages. 
Throughput is considered high using this phenomenon. In [34], a deep learning context-based framework is 
introduced to reduce the security threats in BYOD environment. Here, artificial neural network and machine 
learning techniques are adopted to identify threat attacks and suspicious activities in smartphones. In [35], a 
BYOD evaluation mechanism is introduced to assess dynamic security threats in smartphones. This 
assessment mechanism is utilized for BYOD vulnerability evaluation based on their vulnerability score. 
However, tracking and accessing an extensive amount of relevant information is a very challenging process. 
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In [36], security threats, challenges, policies and their solutions for a BYOD mechanism are reviewed. Here, 
an inclusive security policy mechanism is introduced which tells about characteristics of a flexible and 
secured policy. In [37], a behaviour identification model is adopted for BYOD mechanism using theoretical 
determinants. This model evaluates that certain activities are malicious or not based on their behaviour 
patterns. This model is tested upon various employees of Oman. In [38], some necessary factors for the 
implementation of BYOD mechanism in schools are discussed. The data of 204 teachers are tested which is 
collected from 5 different schools. This study discusses the factors such as network security, content filtering 
and training for the maintenance of BYOD mechanism. Few researchers provided solutions to counter these 
threats which are associated with high overhead. And most of the researchers have provided review and 
evaluation model for BYOD mechanism. These issues are illegal access policies, leaking delicate company 
data, lower flexibility, corporate data breaching, employee privacy compromised, misuse, stolen device, and 
security unbalancing. Based on above factors, a detailed analysis of security issues present in the BYOD 
mechanism, their effects, mitigation strategies, various security policies and implementation of those policies 
in future work are discussed. Moreover, security guidelines are provided for organizations to mitigate 
security threats occur in BYOD mechanism. 


3. SECURITY ANALYSIS IN BYOD MECHANISM 

A comprehensive security analysis of BYOD framework is presented in the following section: in 
general BYOD has the security policy which helps in minimizing the threat, hence we have named it as 
security threat reduction policy framework aka security threat reduction policy (STRP) and analyze the 
different security framework, along with various challenges. A security threat reduction policy framework for 
BYOD mechanism is presented for the identification of security issues present in BYOD and provide 
solutions to mitigate these issues. STRP framework combines seven steps to form a decisive and proficient 
solution to reduce security threats in BYOD and incorporates a comprehensive life cycle of BYOD 
mechanism. The life cycle of a BYOD mechanism starts from granting permission to an employee from the 
organization to use their devices for corporate activities and work. This BYOD life cycle ends when those 
particular devices are revoked. STRP framework is designed to introduce a risk assessment system for 
BYOD security threats. These seven steps are strategize, recognize, defend, detect, retaliate, retrieve, 
evaluate and observe. These steps help to design a security threat reduction policy framework which can 
mitigate security threats in BYOD mechanism. Several crucial elements of the STRP framework can be 
identified based on the mechanism which mainly depends upon three categories. First, people involved in 
security procedures. Second, the security policy factors which helps to design a security guideline manual for 
ideal employee behavior concerning BYOD security. Third, a technology which holds up security 
procedures. The following section discusses major security challenges faced in the BYOD mechanism which 
are identified from various literature. 


3.1. Security challenges identified in BYOD 

Security challenges in BYOD plays a major role, security challenges identification helps in reducing 
the different kind of threats. Although there are number of security challenges, this section discusses several 
security challenges which has major impact while designing the BYOD security framework. Furthermore, 
this section mostly focuses from data center perspective. 


3.1.1. Recognition, validation and access control challenges 

BYOD implies that several employees of an organization perform various corporate activities with 
their own devices. For security reasons, these devices need to be protected using very essential in-built device 
authentication and locking mechanism such as PIN, passwords, patterns, face recognition and fingerprint 
access to protect crucial information present in the employee devices. However, various surveys show that a 
massive number of employees do not utilize this type of authentication security features [39]. There is 
minimal control of an organization on their employees in the way they access their devices, which is a reason 
for excess information breach in several organizations. Moreover, the possibilities of information breaching 
may enhance when employees work from a remote location or access corporate functionalities from outside 
the company perimeter. Moreover, cybercriminals can easily hack these BYOD devices and can utilize 
employee details to access unauthorized information of an organization and cause harm to their business 
activities. 


3.1.2. Device and information security problems 


Employee-owned devices are susceptible to various malicious activities like malware, virus, worms, 
and spyware. Additionally, organizational authorities have no clue what type of applications or programs, 
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employees are running on their devices. In contrast, company-maintained devices generally have all the 
applications or programs prior installed with severe security policies incorporated in those devices. 
Therefore, the possibility of data leakage of an organization is more in employee-owned devices than 
company-maintained devices. Recently, several applications, websites and software utilizes ‘caches’ which is 
a temporal repository for storing information. The ‘caches’ may keep crucial information about the 
organization and may expose to unauthorized people. Moreover, employees can attract well-designed 
programs or applications, which have minimal security encryption policies, enhancing the possibility of 
information leakage. The utilization of BYOD mechanism means several devices, which are owned by 
employees, are connected to a single organization network in which many devices may consist of malicious 
software and applications. Finally, employee-owned devices may get stolen or lost which remain unprotected 
and unencrypted in major cases and can be easily exposed by intruders which may cause severe security 
threats. Most information breach cases are registered at the time of device lost or stolen. 


3.1.3. Network security challenges 

The utilization of BYOD mechanism shows the possibility of malicious software and applications in 
employee-owned devices links to the same network is much higher than in company-owned devices due to 
restricted access. This may lead to a high-level security threat and crucial client information may leak. A 
hacker can easily expose these security drawbacks of BYOD mechanism by accessing organizational 
network whenever employees connect to a local network in the organization. Recently, several employees 
have demanded data center access while work from outside company premises or work from home. This 
shows that risks are higher while using BYOD mechanism. 


3.1.4. Management challenges 

Strict guidelines and security policies are very essential for enhancing security structures in the 
BYOD model for employee-owned devices. Absence of these security policies and guidelines may cause 
higher security threats as well as misinterpretation of data, resulting in immoral security practices. 
Additionally, lack of knowledge in employees about secured policies may lead to severe security threats. 
Security enhancement in devices requires additional cost. Certain organization imposes guidelines on 
employees such as the utilization of long and intricate passwords, automatic session expired functionalities in 
certain time-period. However, these strict guidelines can affect usability and can irritate many employees. 


3.1.5. Compliance challenges 

The utilization of BYOD in many organizations is a very complex process. First, these organizations 
do not have any control on employee-owned devices. Second, all organizations need to follow several legal 
laws and guidelines. This shows that these organizations need to impose severe security guidelines to save 
their customer’s crucial information. 


3.2. BYOD security policy 

A comprehensive discussion of a proficient and secure BYOD security policy is presented here. The 
seven steps mentioned in review of security threat reduction policy (STRP) framework, which are strategy, 
recognize, defend, detect, retaliate, retrieve, evaluate and observe. These security policies have been 
discussed througoghly later in the section. 
— Strategy 

This phase is very crucial for authorities (higher management) in an organization for the design and 
implementation of BYOD mechanism. Several steps require to design the BYOD mechanism which is: At 
first, higher management authorities have to design a strong and efficient BYOD model by establishing a 
strong relationship with all the people who are involved in this BYOD model such as all the managers, 
employees, shareholders, managerial authorities and they need to work as one link and follow every 
compulsory guideline given by higher authorities. To design such a BYOD policy which works in a 
streamline with an organization’s mission and vision. Thus, initially, a clear picture of that organization’s 
capabilities, their functionalities and their requirement is necessary for design a proficient BYOD policy. A 
mobile device management (MDM) can be utilized which can control all the mobile devices linked to the 
internal network of the organization and can comprehensively manage their information. BYOD awareness 
program can be placed for employees so that their understanding of BYOD improves. 
— Recognize 

This phase majorly discusses the device registration of employees and their training about BYOD 
policy guidelines and security. Employees submit their request for registration of their devices. Then, the IT 
department analyzes that the requested device is permitted or not under the guidelines of BYOD policy. All 
the devices will have a minor background check for security measures and the people with higher access to 
organization resources will have a major background check. The organizational authorities can install certain 
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security threat management technologies or configure high-security settings; finally, a training session can be 
arranged for an employee for a clear understanding of BYOD security measures and how to follow them. 
— Defend 

This phase discusses the factors which can impact BYOD policy and how to deal with them; an 
authentication system should incorporate to defend from cybersecurity threats. The utilization of passwords, 
patterns and biometric authentication in BYOD devices need to make mandatory for protecting information. 
One-time authenticate mechanism will have to be incorporated in BYOD policy that means once an 
employee is authenticated to utilize one functionality of the enterprise then no need to authenticate again for 
other functionalities of the organization for that particular session so that they can focus more on work. An 
internal application and software store can be incorporated so that only trusted application or software are 
used which are prior tested by the IT authorities. The organizational network needs to be protected with high 
layer advanced encryption protocol to protect from any kind of malicious activities. 
— Detect 

This phase discusses the detection of security threats in the organization and how to mitigate them; 
all the employees should have a clear understanding about BYOD security threats and what are the signs that 
their device is affected by any kind of malware. Proper knowledge of the security threats in employees can 
reduce future threats. All the employees should have anti-malware and anti-virus installed in their devices 
suggested by IT authorities and should regularly scan them. To avoid information breaching and 
unauthorized data transmission, visualization software can be utilized by the organization. To avoid device 
loss, MDM can be utilized which can continuously track all employee devices based on their location. 
—  Retaliate 

This particular phase highlights the actions required for a security breach or data leakage; 
High-security firewalls and anti-virus software can be installed in affected device and malware can be 
removed after successful detection. If particular application or website is infected, then it should be 
blacklisted for further used. In case of any malicious activities, MDM should be utilized to wipe out all the 
corporate details with employee properties. 
— Retrieve 

This phase will describe the prevention methods of a security breach from employee-owned 
devices. An organization should prevent employees to utilize shared or public data storage platforms for 
corporate details and activities. Maximum protection can be provided by incorporating their private cloud for 
data storage based on the organization’s budget. Virtualization can be utilized so that the personal space of 
employee-owned devices is not used and employee can directly store and access information from the 
organization data storage center where security remains extremely high. 
— Evaluate and observe 

The last phase describes how crucial is feedback when the security policies and environment and 
technology is continuously changing. Therefore, certainly taken into consideration while developing any 
security policy. With the rise of technology and utilization of BYOD devices, regular checkups, security 
updates and feedbacks become very crucial. The organization has to review the entire system in a certain 
period and detect security gaps present in the system; further, Table 1 represents problem identification in 
BYOD mechanism and their solutions. 


Table 1. Analysis of problem identification and their respective solutions and effects in the organization 


Problem Identification 


Respective Solution 


Effect 


Either weak or no security policies are 
utilized by several organizations 
Provided Privilege misuse by employees 


Possibilities of identification thefts 


Utilization of virus integrated software 
and applications by employees 


Ensure 2-factor authentication 
wherever required 

Use responsibility-based privilege 
control, incorporate automated log- 
off activity, a fine employee if 
security breached 

MDM can be utilized for validation 
and information storage on 
employee devices can be minimized 
Blacklisted websites and application 
list should circulate to employees 


Security gets enhanced and unauthorized access 
get denied and data security achieved 

Client access is provided based on_ their 
responsibilities and fines will ensure proper use 
of guidelines circulated 


IT department can easily track and record 
security breaching and cybercrimes can be 
reduced 
Minimizes the risk of data breaching and faulty 
applications can be removed by _ regular 
checkups 


4. ANALYSIS OF BYOD SECURITY POLICY 


The main aim of this review article is to find out all the security issues faced by an organization 
using BYOD mechanism and required security policies to reduce those issues. The STRP framework is 
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extremely helpful in understanding all the issues faced by an organization, their effects and their respective 
mitigation policies. Moreover, very few articles have comprehensively analyzed security issues and their 
respective policies phase by phase, which is done in this article. This review work can be utilized for 
providing guidelines in various organizations. Furthermore, considering the analysis of security work in 
BYOD, there are other two work which has done empirical survey and strengths, weaknesses, opportunities, 
and threats (SWOT) analysis in [40] and [41] respectively. 


5. CONCLUSION AND FUTURE WORK 

BYOD is a crucial and important trend of recent time to enhance the productivity of an organization 
while reducing cost and establishing a stronger bond between company employees and an organization. 
However, security threats present in BYOD mechanism has always is a cause of concern to the authorities of the 
organization. However, these threats can be mitigated by following certain guidelines, installing highly-secured 
software and by designing a secured policy for BYOD. Several issues have been identified such as managerial- 
level, social-level and technical level and their effects also explained comprehensively. All the crucial elements 
like people, security policy factors and technology used are considered and a mitigation strategy is explained 
comprehensively phase by phase. It is analyzed that collaboration of people, security policy factors and 
technology in an effective manner can mitigate security threats present in the BYOD mechanism. Future work 
may involve a work on following aspects such as How BYOD is implemented in several organizations in real- 
time? How it remains secure from security threats and what kind of security policies and technologies are 
utilized? What are the security threats and how information is not compromised while working from home by 
employees in their own devices due to COVID-19 pandemic in 2021? Moreover, this research review article has 
limitations in conducting review as we have focused only on the review of BYOD security policy relevant to 
our work and there is other area such as efficient and productive security. 
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